List Archive: gentoo-dev
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Sat, Oct 08, 2011 at 04:39:40PM -0700, "Paweł Hajdan, Jr." wrote:
> On 10/8/11 3:43 PM, Robin H. Johnson wrote:
> >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
> >> be using something stronger?
> > Fixed in Catalyst now.
> > http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
> > So when the stagebuilders update their Catalyst, they will be generated
> > with newer hashes.
> Thank you for a quick reaction, but maybe in one aspect it was too
> tells people to use md5sum, and the patch above _removes_ md5 sum, which
> means the Handbook instructions now won't work.
> Suggested course of action:
> 1. Please re-add md5 sum.
> 2. File a bug to modify the handbook to verify sha sum instead.
> 3. Then remove the checksum.
> >> 2. I noticed the checksums are signed (.asc files). With what key are
> >> they signed? How is that key handled, and how to ensure people use the
> >> right key when verifying the signature?
> > Documented here:
> > http://www.gentoo.org/proj/en/releng/
> Ah, I just forgot about that page. Okay, so can we also update the
> Handbook to include GPG signature checking?
It DOES already mention checking the signature:
Also opened another bug for correcting keys.
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : firstname.lastname@example.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85